Source anchors
How to use this checklist
Use this checklist to audit whether records explain what happened, who decided, why it was lawful and how confidential information was protected. It can be used monthly, after a records audit, after a confidentiality breach, after an incident linked to poor records, before governance review, or before an inspection-readiness review.
This checklist treats records as a safety and governance control. It checks whether the service can retrieve the right information, whether the record is good enough for continuity of care, and whether access and sharing are controlled.
For each row, record:
- Met: evidence is current and complete.
- Part met: evidence exists but has a gap or needs follow-up.
- Not met: evidence is absent or the control is not working.
- Not applicable: the service does not carry out this activity.
Every Part met or Not met item should create an action with an owner and due date.
The PDF is designed for printing, or for completing on screen with a PDF viewer's Fill & Sign, Markup or comment tools. Use those tools to tick boxes and type into the lines.
Service details
| Field |
Local entry |
| Service name |
|
| Location |
|
| Date completed |
|
| Completed by |
|
| Registered Manager |
|
| Information Governance Lead |
|
| Clinical Lead or Care Lead |
|
| Period reviewed |
|
1. Record system and ownership
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Record systems and record locations are defined. |
System list, procedure, staff guidance. |
|
|
|
| Each record type has an owner and retention rule. |
Retention schedule, role list. |
|
|
|
| Staff know where each record should be made and stored. |
Staff interview, induction record. |
|
|
|
| Electronic systems are backed up or covered by continuity arrangements. |
Backup evidence, business continuity plan. |
|
|
|
| Paper records are stored securely and tracked where moved. |
Storage check, movement log. |
|
|
|
| Record audit cadence is defined and followed. |
Audit schedule, completed audit. |
|
|
|
2. Record quality and contemporaneous entries
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Records are accurate, complete, factual and attributable. |
Record sample. |
|
|
|
| Records are made at the time or as soon as reasonably possible. |
Timestamp sample, late-entry log. |
|
|
|
| Records show what happened, what was decided and why. |
Record sample, decision note. |
|
|
|
| Corrections and amendments preserve the audit trail. |
Correction sample, system audit log. |
|
|
|
| Late entries are clearly labelled with the reason for delay. |
Late-entry sample. |
|
|
|
| Vague or judgmental wording is challenged and corrected through supervision or audit. |
Audit findings, supervision note. |
|
|
|
3. Consent, risk, incidents and safeguarding records
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Consent and capacity decisions are recorded with reasoning. |
Consent or MCA sample. |
|
|
|
| Risk assessments and care plans are updated after change, incident or review. |
Risk assessment, care plan. |
|
|
|
| Incident, complaint and safeguarding records link to actions and learning. |
Incident or safeguarding sample. |
|
|
|
| Information shared for safeguarding or serious risk is recorded with rationale. |
Disclosure note, safeguarding record. |
|
|
|
| Duty-of-candour and notification evidence is linked where relevant. |
Candour record, CQC notification. |
|
|
|
| Record gaps are escalated where they affect safe care or governance. |
Escalation note, action log. |
|
|
|
4. Confidentiality, access and sharing
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Access permissions are role-based and approved. |
Access list, approval record. |
|
|
|
| Access is removed promptly when staff leave or change role. |
Leaver checklist, access review. |
|
|
|
| Staff do not use shared logins unless formally approved with controls. |
System settings, exception record. |
|
|
|
| Information sharing decisions are lawful, necessary and recorded. |
Data sharing sample, disclosure note. |
|
|
|
| Staff check recipient details and minimum necessary content before sending information. |
Communication audit, staff interview. |
|
|
|
| Privacy information and confidentiality limits are explained to people using the service. |
Privacy notice, consent or communication record. |
|
|
|
5. Retention, disposal and continuity
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Retention schedule covers care, clinical, staff, governance and financial records. |
Retention schedule. |
|
|
|
| Archived records are retrievable by authorised people. |
Archive index, retrieval test. |
|
|
|
| Disposal is authorised, secure and evidenced. |
Disposal certificate, destruction log. |
|
|
|
| Mobile, remote and portable records are controlled. |
Remote-working record, device policy. |
|
|
|
| System downtime arrangements protect continuity of care. |
Downtime plan, test record. |
|
|
|
| Supplier or processor arrangements cover confidentiality and data protection duties. |
Contract, data protection schedule. |
|
|
|
6. Audit, breach and governance
| Check |
Evidence to review |
Status |
Action owner |
Due date |
| Record-keeping and access audits run at a stated cadence. |
Completed audit, access review. |
|
|
|
| Breaches and near misses are reported, contained and investigated. |
Breach log, incident record. |
|
|
|
| ICO, CQC, commissioner or person-notification decisions are recorded where relevant. |
Breach decision note. |
|
|
|
| Audit findings create actions with owners, due dates and completion evidence. |
Action log, improvement actions. |
|
|
|
| Repeated record or confidentiality gaps are reviewed as workforce or governance themes. |
Governance minutes, supervision themes. |
|
|
|
| Learning links to training, supervision, risk management and business continuity. |
Training update, risk register, continuity action. |
|
|
|
7. Summary judgement
| Question |
Answer |
| Which record type has the weakest evidence trail? |
|
| Which access, sharing or confidentiality control has the highest current risk? |
|
| Which late entry, correction or missing record needs review? |
|
| Which breach, near miss or audit action is overdue? |
|
| What would a CQC inspector see if they asked for records evidence today? |
|
8. Action log
| Action |
Source check |
Owner |
Due date |
Completion evidence |
|
|
|
|
|
9. Completion
| Sign-off |
Name |
Date |
| Completed by |
|
|
| Reviewed by Registered Manager |
|
|
This checklist is a working tool. It does not replace live regulator guidance, legal advice, data protection advice, professional standards, safeguarding advice, clinical judgement or sector-specific record retention requirements.
Related reading
This checklist is a starting point and a guide to what inspectors look for. It is not a complete or deployable procedure, and it is not legal advice. Working through it does not guarantee a rating or compliance. Check all regulatory references and timescales against current primary sources and adapt it to your own service.